how much time does each of you (Martin in C, Ignas in Python) spend checking whether the library authors promise backwards compatibility, security updates, and whether they're likely to still be around 3 years from now?
@ayo so, I don't know how Perl packaging works, but assuming it works like pip:
typically language-level package managers don't have the ability to add a dependency on OS-level tzdata... so I don't see an advantage of getting the source from a language-specific package repository as opposed to straight from the maintainer's website / GitHub / etc.
At my $dayjob, the reason I do anything about vulns at all is compliance with a standard.
But I look at the standard, try to figure out why someone would put a particular requirement in the standard, and try to think of something that we could do that is actually useful, that could also be argued to check the box.
@makdaam @domi @lanodan Now, you could argue that if the checkbox didn't shield companies from liability, they would care more about security, because simply ignoring vulns would get them sued to oblivion.
And maybe that is the case in some fields.
But IME it's more about the choice between trying to meet an impossible standard, and not giving a fuck thus doing nothing. 2/2
@makdaam @domi @lanodan don't worry about thread necromancy, it hasn't even been a week yet
So you're saying that the checkbox exists purely for performative/blameshifting purposes?
I think even if that is true, the side effect of complying with the checkbox is doing some good things. In this case - how do you make the CVE scanner happy without patching at least some vulns?
And if you patch some vulns, you're already doing better than those who don't give a fuck.
@ignaloidas @lanodan @domi @rozenglass is there any development model other than Linux's that'd ensure we get enough source code that we can build custom firmware for these devices?